Free DMARC Record Generator

Build a valid DMARC TXT record in seconds - choose your policy, set reporting addresses, and publish to DNS

Built by Henry Timmes · Named contributor to RFC 7489 (DMARC)

How to Build a DMARC Record That Actually Works

A well-configured DMARC record tells receiving mail servers what to do when authentication fails - and keeps you informed with daily reports so you can tighten your policy over time.

Start with p=none

Begin with p=none so all mail is still delivered while aggregate reports flow to your rua address. Review the data for 2–4 weeks to identify every sending source before moving to a stricter policy. Jumping straight to reject can block legitimate mail.

Set Your Reporting Address

The rua tag is where daily aggregate reports are delivered - it's your primary visibility tool. Without it you're flying blind. Set it to an address you actively monitor, or pipe it into a DMARC reporting service that parses the raw XML for you.

Cover All Sending Sources

Your ESP, CRM, transactional email provider, support platform, and any other service that sends mail using your From domain all need valid SPF or DKIM before you tighten policy. Missing even one source will cause legitimate mail to fail once you enforce quarantine or reject.

How to Generate and Publish Your DMARC Record

  1. Enter your domain name and select a starting policy - p=none is recommended for new setups
  2. Add an aggregate reporting address (rua) - this is where your daily DMARC reports will be sent
  3. Optionally configure subdomain policy (sp), alignment modes, percentage (pct), and reporting interval
  4. Click Generate DMARC and copy the generated TXT record value
  5. In your DNS host, add a new TXT record at _dmarc.yourdomain.com and paste the value - then use the DMARC Lookup tool to confirm it's live

💡 Tip: Never publish two DMARC records for the same domain. Only one TXT record at _dmarc.yourdomain.com is valid - multiple records cause a "permerror" and DMARC fails entirely. Also remember that pct= only affects enforcement, not reporting: reports are always sent at 100% regardless of your pct value.

Effortless DMARC Record Creation: Streamline Security

This DMARC record generator guides you through the configuration step-by-step, so you get a correctly formatted record without needing to understand every tag. Choose your policy, set your reporting address, and the tool handles the rest.


Simply enter your domain name and select your preferred policy. The tool offers clear explanations for each option, allowing you to choose whether to monitor (p=none) email activity for informational purposes, quarantine (p=quarantine) suspicious emails for further review, or reject (p=reject) unauthenticated emails outright. You can also specify email addresses to receive reports detailing authentication results - valuable for identifying unauthorized senders and potential security threats.


No technical expertise required. The generator handles the complexity of crafting a valid DMARC record, saving you time and ensuring your reporting is in place from day one. With aggregate report data in hand, you can make informed decisions about tightening your policy and protecting your domain from email-based attacks.


Once you have it set up, it's time to test it with our very own Email Tester.


DMARC Tag Specification Explained

TAG - MEANING

v - Required: Specifies the version of the DMARC protocol being used. Always set to v=DMARC1 for the current DMARC protocol version.

p - Required: Specifies the policy to be enacted by the receiving mail server when DMARC authentication fails. This tag determines what action should be taken if an email fails DMARC checks.

Possible Values:

  • none: Takes no action, but generates DMARC reports.
  • quarantine: Treats the message as suspicious, possibly placing it in the recipient's spam or quarantine folder.
  • reject: Blocks the message outright, preventing delivery to the recipient.

sp - Specifies the policy for handling messages from subdomains of the DMARC-aligned domain. Subdomains inherit policies from their parent domain unless explicitly overridden.

rua - Specifies the URI(s) to which aggregate DMARC reports should be sent, for example: rua=mailto:your@email.com. Aggregate reports provide statistics about DMARC usage and authentication results.

ruf - Specifies the URI(s) to which forensic DMARC reports should be sent (reports about individual failed messages), for example: ruf=mailto:your@email.com. Forensic reports contain detailed information about specific messages that failed DMARC checks.

adkim - Specifies how DKIM (DomainKeys Identified Mail) alignment should be handled. DKIM alignment verifies that the DKIM signature on an email matches the sender's domain.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.

aspf - Specifies how SPF (Sender Policy Framework) alignment should be handled. SPF alignment verifies that the SMTP MAIL FROM domain matches the domain used in the RFC5322.From header field.

Possible Values:

  • r: Relaxed mode. Allows for intermediate levels of subdomain alignment.
  • s: Strict mode. Requires exact domain name alignment.

fo - Determines the level of detail in forensic reports generated when DMARC authentication fails.

Possible Values:

  • 0: Generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result.
  • 1: Generate reports if any underlying authentication mechanism produces something other than a DMARC pass result.
  • d: Generate reports regardless of the authentication result.
  • s: Generate an SPF failure report if the message failed SPF evaluation, regardless of alignment.

rf - This tag specifies the format for forensic DMARC reports sent to the specified reporting addresses (ruf).

Possible Values:

  • afrf: Specifies the use of the Abuse Reporting Format (ARF) for forensic reports.
  • iodef: Specifies the use of the Incident Object Description Exchange Format (IODEF) for forensic reports.

pct - Specifies the percentage of messages subjected to DMARC policy filtering. Allows gradual enforcement of DMARC policies to monitor impact before full enforcement. Any integer value from 0 to 100.

ri - Specifies the interval at which aggregate DMARC reports should be generated and sent by receivers to the specified reporting addresses (rua). For example: ri=86400 indicates that aggregate reports should be sent daily (every 86400 seconds).
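The tag rules in the table above, together with the one-record-per-domain tip, can be checked mechanically before a record is published. The linter below is an added example, not the generator's own code: its function names and the sample records (on the placeholder domain example.com) are constructed for illustration, and it assumes report URIs use the mailto: form shown in the page's rua/ruf examples.

```python
import re

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags

def lint_dmarc(txt_records):
    """Lint the TXT strings published at _dmarc.<domain>; return a list of findings."""
    # Only strings that begin with v=DMARC1 count as DMARC records.
    records = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not records:
        return ["no record starting with v=DMARC1"]
    if len(records) > 1:
        return [f"{len(records)} DMARC records published; only one is valid"]
    tags = parse_tags(records[0])
    findings = []
    if tags.get("p", "").lower() not in POLICIES:
        findings.append("p is missing or not none/quarantine/reject")
    if "sp" in tags and tags["sp"].lower() not in POLICIES:
        findings.append("sp is not none/quarantine/reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in {"r", "s"}:
            findings.append(f"{tag} must be r or s")
    if not re.fullmatch(r"[0-9]{1,3}", tags.get("pct", "100")) or int(tags.get("pct", "100")) > 100:
        findings.append("pct must be an integer from 0 to 100")
    if not tags.get("rua"):
        findings.append("no rua address: aggregate reports will not be sent")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.lower().startswith("mailto:"):
                findings.append(f"{tag} entry {uri!r} is not a mailto: URI")
    return findings

# Constructed sample records (example.com is a placeholder domain).
GOOD = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r"]
BAD = ["v=DMARC1; p=monitor; pct=150; aspf=x; rua=dmarc@example.com"]
DUPLICATE = GOOD + ["v=DMARC1; p=reject"]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD), ("duplicate", DUPLICATE)):
        print(name, lint_dmarc(sample))
```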

Frequently Asked Questions

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that protects your domain from spoofing and phishing. It builds on SPF and DKIM by adding a policy for handling failed authentication and a reporting mechanism so you can monitor what mail is being sent in your name. Without DMARC, anyone can forge email that appears to come from your domain - and recipients have no way to tell the difference.

Use the generator above to configure your policy, reporting addresses, and alignment settings. Click Generate DMARC and copy the TXT record value. Then log into your DNS host and add a new TXT record with the name _dmarc.yourdomain.com and the generated value. DNS changes typically propagate within an hour. Use the DMARC Lookup tool to confirm the record is live and correctly formatted.

A DMARC record includes:
  • v=DMARC1: Version - always required, always first.
  • p=: Policy - none, quarantine, or reject.
  • rua=: Email address for daily aggregate reports (highly recommended).
  • ruf=: Optional email for forensic (message-level) failure reports.
  • pct=: Percentage of mail the policy applies to (default 100).
  • sp=: Optional subdomain policy, overriding the parent domain policy for subdomains.
  • adkim= / aspf=: DKIM and SPF alignment mode - r (relaxed) or s (strict).

Aggregate reports (rua) are daily XML summaries showing authentication pass/fail counts, source IP addresses, and policy dispositions across all mail claiming to be from your domain. They give you a broad view of your email ecosystem.

Forensic reports (ruf) are near-real-time, message-level reports for individual failures. They can include headers and sometimes body content. However, many major providers including Google and Microsoft have stopped sending forensic reports due to privacy concerns - so rua is the more reliable data source.

Common challenges include:
  • Undiscovered sending sources: ESPs, CRMs, transactional mail providers, and support tools all send mail in your name - you need to find them all before enforcing policy.
  • Email forwarding: Forwarded mail often breaks SPF alignment, causing legitimate messages to fail DMARC.
  • Subdomain exposure: If you don't set an sp= tag, subdomains inherit your main policy - which may be too loose or too strict depending on how they're used.
  • Raw report format: Aggregate reports are XML files, not human-readable emails. Most teams use a third-party reporting service to parse and visualize them.

SPF (Sender Policy Framework) authorizes specific IP addresses to send mail for your domain. It checks the envelope sender, not the visible From address.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to messages that receiving servers verify against a public key in your DNS. It proves the message wasn't altered in transit.

DMARC ties both together with policy enforcement and reporting. If a message fails both SPF and DKIM alignment with your From domain, DMARC tells the receiving server whether to accept, quarantine, or reject it - and reports the result back to you.
